Is WebGL a Security Problem?

Researchers from Context Information Security have warned that the WebGL standard undermines the security concept practiced by current operating system versions and offers up new attack surfaces. WebGL extends the capability of the JavaScript programming language to allow it to generate interactive 3D graphics within compatible web browsers without requiring plugins.

WebGL, managed by the non-profit Khronos Group, is a context of the canvas HTML element that provides a 3D computer graphics API without the use of plug-ins.[2] The specification was released as version 1.0 on March 3, 2011.

The researchers report that they have been able to elicit a blue screen of death(BSOD) by using targeted overloading of the graphics cards. According to the report, this could allow an attacker to exploit any security vulnerabilities in the graphics card driver to, for example, inject malicious code onto the system. Although Windows 7 and Vista have a mechanism for resetting an overloaded graphics card after about two seconds, the researchers found that this too results in a blue screen of death after a certain number of resets. What this means is that if a graphics card driver contains vulnerabilities, WebGL could allow injection of malicious code onto a system.

The researchers have released an online demo (http://www.contextis.com/resources/blog/webgl/poc/index.html) to illustrate the problem. In the researchers' opinion, WebGL is simply not yet ready for primetime.

The Khronos group has already specified one extension to OpenGL, GL_ARB_robustness, specifically designed to prevent denial of service and out-of-range memory access attacks from WebGL content, and is continuing to rapidly iterate on security-related functionality.